[Openstack-security] [Bug 1446406] Re: Insecure signing_dir configuration in barbican-api-paste.ini

Thierry Carrez thierry.carrez+lp at gmail.com
Thu Apr 30 12:42:05 UTC 2015


** Changed in: barbican/kilo
    Milestone: kilo-rc2 => 2015.1.0

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1446406

Title:
  Insecure signing_dir configuration in barbican-api-paste.ini

Status in OpenStack Key Management (Barbican):
  Fix Committed
Status in Barbican kilo series:
  Fix Released

Bug description:
  It appears that Barbican sets signing_dir to "/tmp/barbican/cache" in
  etc/barbican/barbican-api-paste.ini (Reference:
  https://github.com/openstack/barbican/blob/master/etc/barbican/barbican-api-paste.ini#L42)

  A Nova bug from 2013 (https://bugs.launchpad.net/nova/+bug/1174608) mentions that they had the same basic issue, and it's a security issue because:
  "This means that if an attacker populated the /tmp/keystone-signing-nova
  with the appropriate files for signature verification they could potentially
  issue forged tokens which would be validated by the middleware. As:
      - The directory location is deterministic. (default for glance, nova)
      - *If the directory already exists it is reused*"

  This Nova bug was issued CVE-2013-2030:
  http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-2030

  This was originally reported to Barbican devs by the user "zigo" in the #openstack-barbican channel on Freenode:
  2015-03-23 16:59:15 zigo_   I just saw in barbican-api-paste.ini a "signing_dir" directive. This is a security issue which you guys need to fix.
  2015-03-23 16:59:28 zigo_   The signing_dir directive should never be set to /tmp like this.
  2015-03-23 16:59:33 zigo_   Best is to simply remove the directive.
  2015-03-23 16:59:57 zigo_   I can find the announce for the nova security patch that happened a few years ago if you don't just trust my words… :)

  zigo's suggested fix was to remove the directive. It appears Cinder
  has taken this approach for their project
  (https://bugs.launchpad.net/cinder/+bug/1185098)

To manage notifications about this bug go to:
https://bugs.launchpad.net/barbican/+bug/1446406/+subscriptions
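As an added illustration, not code from the bug report or from Barbican, the check below audits a paste-deploy INI for the two conditions the quoted Nova text names: a signing_dir at a deterministic path under a shared temp directory, and an already-existing directory that the middleware would reuse as-is. The sample INI is constructed for the example and its section name "filter:authtoken" is an assumption.

```python
"""Audit a paste-deploy INI for an insecure keystonemiddleware signing_dir."""
import configparser
import os
import stat

# Shared parents where another local user could pre-create the directory
# before the service does (the hazard quoted from the Nova bug).
SHARED_TMP_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed sample mirroring the shape of barbican-api-paste.ini (not the
# project's real file); the signing_dir value is the one quoted in the bug.
SAMPLE_PASTE_INI = """
[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
signing_dir = /tmp/barbican/cache

[filter:other]
paste.filter_factory = example:filter_factory
"""


def find_signing_dirs(ini_text):
    """Return {section: signing_dir} for every section that sets one."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    return {name: parser[name]["signing_dir"].strip()
            for name in parser.sections() if "signing_dir" in parser[name]}


def audit_path(path):
    """Return a list of findings for one configured signing_dir value."""
    findings = []
    norm = os.path.normpath(path) + "/"
    if any(norm.startswith(p) for p in SHARED_TMP_PREFIXES):
        findings.append("deterministic path under a shared temp directory")
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return findings  # nothing pre-created; only the path finding applies
    # An existing directory is reused unchanged, so its provenance matters.
    if stat.S_ISLNK(st.st_mode):
        findings.append("existing path is a symlink")
    elif not stat.S_ISDIR(st.st_mode):
        findings.append("existing path is not a directory")
    if st.st_uid != os.geteuid():
        findings.append("existing directory owned by another user")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("existing directory is group/world writable")
    return findings


def audit_paste_ini(ini_text):
    """Map each section that sets signing_dir to its list of findings."""
    return {sec: audit_path(p) for sec, p in find_signing_dirs(ini_text).items()}
```

Run it against the real barbican-api-paste.ini on a host; an empty result means no section sets signing_dir at all, which is the fix the bug settles on.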
